[Acme] [Technical Errata Reported] RFC8555 (8381)

RFC Errata System <rfc-editor@rfc-editor.org> Tue, 15 April 2025 22:49 UTC

To: rlb@ipv.sx, jsha@eff.org, cpu@letsencrypt.org, jdkasten@umich.edu, debcooley1@gmail.com, paul.wouters@aiven.io, ynir.ietf@gmail.com, tomofumi.okubo@gmail.com
Message-Id: <20250415224926.759AB22A2CB@rfcpa.rfc-editor.org>
CC: erik+ietf@nygren.org, acme@ietf.org, rfc-editor@rfc-editor.org
Subject: [Acme] [Technical Errata Reported] RFC8555 (8381)
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/dWD-rXpnkYTb9BMu-oup97tFy0w>

The following errata report has been submitted for RFC8555,
"Automatic Certificate Management Environment (ACME)".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8381

--------------------------------------
Type: Technical
Reported by: Erik Nygren <erik+ietf@nygren.org>

Section: 8.3

Original Text
-------------
   3.  Dereference the URL using an HTTP GET request.  This request MUST
       be sent to TCP port 80 on the HTTP server.

Corrected Text
--------------
   3.  Dereference the URL using an HTTP GET request.  This request MUST
       be sent to TCP port 80 on the HTTP server.  (The HTTP client must
       not resolve and/or must ignore any HTTPS DNS RRs [RFC 9460].)

Notes
-----
Doing a DNS lookup of an HTTPS DNS RR [RFC 9460] might force the client to switch from HTTP to HTTPS scheme which would break HTTP-01 lookups.  The RFC8555 text is clear that "request MUST be sent to TCP port 80 on the HTTP server" which would be violated if the validating client did an HTTPS RR lookup in the DNS and followed the instructions in RFC 9460 section 9.5.

Instructions:
-------------
This erratum is currently posted as "Reported". (If it is spam, it
will be removed shortly by the RFC Production Center.) Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
will log in to change the status and edit the report, if necessary.

--------------------------------------
RFC8555 (draft-ietf-acme-acme-18)
--------------------------------------
Title               : Automatic Certificate Management Environment (ACME)
Publication Date    : March 2019
Author(s)           : R. Barnes, J. Hoffman-Andrews, D. McCarney, J. Kasten
Category            : PROPOSED STANDARD
Source              : Automated Certificate Management Environment
Stream              : IETF
Verifying Party     : IESG
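The validation behaviour the report is about, as an added example that is not part of the errata report, of RFC 8555, or of any ACME implementation: an HTTP-01 validator that performs Section 8.3 step 3 with the scheme fixed to http and the port fixed to 80, so no HTTPS RR lookup (RFC 9460) can upgrade the fetch to https, followed by step 4 (comparing the body with the expected key authorization from Section 8.1, with trailing whitespace ignored). Name resolution goes through http.client, i.e. getaddrinfo, which only returns A/AAAA addresses. The in-process HTTP server, the `connect_host` and `port` parameters, the hostname `example.test`, the token and the JWK values are all constructed for the example; the server binds an ephemeral loopback port only because binding port 80 needs privileges, and a real validator keeps the default of 80.

```python
"""
Added example (not from the errata report or RFC 8555): an HTTP-01
validator that dereferences the challenge URL exactly as Section 8.3
step 3 requires. Scheme and port are hard-coded, so an HTTPS RR
(RFC 9460) is never consulted and cannot redirect the fetch to https.
"""
import base64
import hashlib
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
HTTP01_PORT = 80  # RFC 8555 s8.3 step 3: MUST be TCP port 80


def b64url(data):
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 of the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """RFC 8555 s8.1: token || '.' || base64url(JWK_Thumbprint(accountKey))."""
    return token + "." + jwk_thumbprint(account_jwk)


def fetch_http01(host, token, port=HTTP01_PORT, connect_host=None, timeout=5.0):
    """Step 3: GET http://<host>/.well-known/acme-challenge/<token> over TCP port 80.

    No URL parser and no redirect handling: the scheme cannot become https
    and the port cannot change. connect_host (an assumption for testing)
    lets a caller aim at 127.0.0.1 while still sending the real Host header.
    """
    conn = http.client.HTTPConnection(connect_host or host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token,
                     headers={"Host": host, "User-Agent": "example-acme-validator/0"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise ValueError("challenge fetch returned HTTP %d" % resp.status)
    return body


def validate_http01(host, token, account_jwk, **fetch_kw):
    """Steps 3 and 4: fetch, then compare with the expected key authorization.
    Section 8.3 says whitespace after the body SHOULD be ignored, hence rstrip()."""
    expected = key_authorization(token, account_jwk)
    body = fetch_http01(host, token, **fetch_kw)
    return body.decode("ascii", "replace").rstrip() == expected


class _ChallengeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the requester's web server: maps token -> response body."""
    responses = {}

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else None
        body = self.responses.get(token)
        if body is None:
            self.send_error(404)
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the example quiet


def serve_challenges(responses, bind="127.0.0.1", port=0):
    """Start the stand-in server in a daemon thread; returns (server, port).
    port=0 picks a free port only because binding 80 needs privileges."""
    handler = type("ChallengeHandler", (_ChallengeHandler,), {"responses": dict(responses)})
    server = HTTPServer((bind, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Constructed account key and token; the coordinates are placeholders, not real key material.
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    token = "constructed-token-value"
    server, port = serve_challenges({token: key_authorization(token, jwk) + "\n"})
    try:
        print("valid:", validate_http01("example.test", token, jwk, port=port, connect_host="127.0.0.1"))
    finally:
        server.shutdown()
        server.server_close()
```

Because `fetch_http01` never parses a URL or follows a redirect, a client built this way cannot be steered to https by a DNS answer; the only way to change scheme or port is to edit the constants, which is the property the erratum asks the text to state explicitly.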